enquiries@turbinturbin.co.uk
We are committed to protecting personal data and to complying with the Data Protection Act 2018 (DPA) and the United Kingdom General Data Protection Regulation (UK GDPR). Turbin and Turbin Limited is registered with the Information Commissioner's Office as a data controller, with the registration number ZB769097.
This privacy statement explains how, as a data controller, we collect and use the personal data of individuals ('data subjects'). Data subjects may be our clients or others whose data we collect during the course of our business interactions. We shall only use personal data for the purposes described in this privacy statement or for the purposes explained to the data subject at the point of collecting their personal data.
We may obtain personal data directly from a data subject if and when they:
request a proposal from us in respect of the services we provide;
engage us to provide our services and also during the provision of those services;
contact us, for whatever reason, by email, telephone, post, or via our website or social media.
We may also obtain personal data indirectly:
from an employer,
from third parties (for example, from the data subject’s bank or from HMRC),
from publicly available sources (for example, from Companies House).
This list is not exhaustive. If and when it becomes necessary (or in the data subject’s interests) to obtain personal data from third parties, the data subject will usually have been made aware that we intend to do so.
The lawful bases on which we process personal data are as follows:
consent – where a data subject has given consent to the processing of their personal data for one or more specific purposes;
consent – where a website visitor agrees to analytics cookies for the purpose of understanding website use;
contract – where processing is necessary to meet our obligations under a contract to which the data subject is party (or to take steps at their request prior to entering into a contract);
legal obligations – where processing is necessary for compliance with a legal obligation to which we are subject;
public interest – where processing is necessary for the performance of a task carried out in the public interest;
legitimate interests – where processing is necessary for the purposes of pursuing our legitimate interests, or the legitimate interests of another party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.
We process personal data to be able to:
meet our responsibilities to a client under our engagement letter and the provision of services agreements that exist between us,
meet a client’s wider expectations of our professional relationship, including providing information ancillary to the services agreed under the engagement letter and provision of services agreements,
contact a client about other services we provide which may be of interest to them, if the client has consented to us doing so,
comply with legal and regulatory requirements, including anti-money laundering and health and safety compliance, and
further our legitimate interests.
The following sections relate the lawful bases on which we process personal data to the various reasons for which we expect to process personal data:
Under the engagement letter and provision of services agreements: Contract
Meeting clients’ wider expectations of our professional relationship: Consent
Contacting a client about other services that may be of interest: Consent
Complying with legal and regulatory requirements: Legal obligations, Public interest
Furthering our legitimate interests: Legitimate interests
Our legitimate interests in processing personal data include the requirement that we comply with our legal and regulatory obligations and are seen to do so. We may also process personal data for the purposes of our practice management and development, including statistical analysis.
Website analytics and cookies
We use Google services to understand and improve how visitors use our website. This includes:
Google Analytics (GA4) - to collect aggregated information such as page visits, device type and general geographic area.
Google Search Console - to monitor our website's visibility in Google Search and resolve technical or indexing issues.
Google Analytics operates on the basis of user consent under the UK GDPR.
Analytics cookies are not set until the user gives explicit consent via our website cookie banner. If the user declines, analytics tracking is disabled.
Data minimisation and anonymisation:
Google Analytics 4 does not store or log full IP addresses.
We have disabled advertising features and cross-device tracking.
We retain analytics data for a maximum of two months.
Data sharing and transfers:
Data may be processed by Google Ireland Limited acting as our data processor.
In some cases, Google may transfer limited data outside the UK/EEA under its Data Processing Terms and Standard Contractual Clauses.
Opt-Out:
Visitors can withdraw or change their cookie preferences at any time via the “Cookie Settings” link on our website or by using Google’s opt-out add-on.
Google Search Console:
Google Search Console only provides aggregated performance data and does not involve the use of cookies or collection of personal data from visitors.
We have put in place appropriate and proportionate security measures to address the risk of personal data being lost, used, altered or accessed in an unauthorised way. We limit access to personal data to those who have a business need to access it, and who will only process the personal data on our instructions.
Nevertheless, no data transmission over the internet, or any other network, can ever be regarded as wholly secure, and we have in place measures to deal with any suspected breach of data security. Those measures include clear policies and procedures, which are periodically reviewed to ensure they are effective and fit for purpose.
We share personal data with third parties when absolutely necessary for the purposes for which we process it. We may also share personal data, with the consent of the data subject, where it is necessary to administer the relationship between us, or where we have another legitimate interest in doing so.
'Third parties' includes third-party service providers, for example, providers of:
IT services,
professional advisory services,
insurance, and
administration services.
This list is not exhaustive. We only permit third-party service providers to process personal data for specified purposes and in accordance with our instructions, where appropriate contractual arrangements and security mechanisms are in place.
We may transfer personal data we collect about you to the following countries: the United States and the EEA, in order to perform our contract with you. A transfer of personal data outside the United Kingdom will only occur if we are satisfied that the country to which the data is to be transferred provides a level of personal data protection comparable to that provided by UK GDPR.
We shall share personal data to the extent necessary in order to:
meet our responsibilities under our provision of services agreements with clients,
fulfil our obligations to a regulator,
enable effective quality control over our technical work, and
comply with our legal obligations.
When determining the appropriate period of retention for personal data, we shall consider the requirements of our business, the services provided, any legal and regulatory obligations, and the purposes for which we originally collected the data.
We shall only retain personal data for as long as there is a legal basis for doing so.
In accordance with recognised good practice within the accountancy profession, we usually retain records, including personal data, as follows:
Tax return information and accounting records are retained for seven years from the end of the tax year to which that information relates.
Information and records relating to advisory work are retained for seven years from the date the business relationship ceased.
Where we have an ongoing client relationship, information that is of ongoing relevance to our engagement is retained throughout the period of the engagement and deleted seven years after the end of the business relationship.
Website analytics data is retained for no longer than two months.
It is important that the data we hold is accurate and current. Should a data subject’s personal information change, they should ensure that we are notified of those changes of which we need to be made aware.
Data subjects have certain rights over their personal data that we process as data controller. If a data subject exercises any of those rights we shall aim to respond promptly. However, please note that the length of time it will take us to respond will be dependent on the nature and extent of the request.
A data subject has a right to:
request access to their personal data under Article 15 of UK GDPR - enabling them to receive a copy of their personal data that we hold;
request rectification under Article 16 - the correction of any errors or inaccuracies in their personal data that we hold;
request erasure of their personal data under Article 17 – where there is no good reason for us continuing to process it, or where they have exercised their right to object to processing (see below);
object to processing of their personal data under Article 21 - where we have been relying on a legitimate interest as the basis for processing their data, which they believe is overridden by their own interests or rights;
request the restriction of processing of their personal data under Article 18 - asking us to suspend processing their personal data if, for example, they wish to establish its accuracy or the reason for processing it;
withdraw consent under Article 7 - where we have been processing their personal data based on their consent;
request the transfer of their personal data to them or to another data controller under Article 20.
If you wish to exercise any of your rights as a data subject, please email Joel Turbin at Joelturbin@turbinturbin.co.uk.
If you have any questions regarding this notice or if you would like to speak to us about the manner in which we process personal data, please email Joel Turbin at Joelturbin@turbinturbin.co.uk, or telephone 01902936988.
A data subject also has the right to make a complaint to the Information Commissioner's Office, whose address is:
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk/concerns